Configure time service in Server 2008/03 domain

We have a Server 2008 pdc with two virtual servers installed running Server 2003; all our clients are XPPro/SP3. The time for our domain servers and clients is off about 4 minutes. Here is the result of a net time /querysntp cmd on the pdc: time.windows.com,0x9. The same cmd on the other two servers returns this on both: time.windows.com,0x1. What I thought interesting was that when I run that command on my client, it returns the ip address of our firewall router; but, the time on the router is correct where the time on my client is not.

I know messing around with time settings on servers can cause problems in a domain. Can someone help with the proper way to configure our domain time services so everything is on the correct time? Also, can anyone tell me what the 0x1 & 0x9 represent? Just curious.

Anyway, your "main" time server is the one behind "PDC". If the "Type" entry on this machine is still NT5DS, it wasn't updated during the transfer of the role (that happens).
Open a command prompt on this machine, enter

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

This will reset the time service to its default values (it recognizes if the machine is the PDCe); this helps with most time service related problems, btw. The "Type" entry on servername.domainname.local should now be NTP.
Then run the command from above again, and finally start a sync to check if it works okay:
w32tm /config /manualpeerlist:1.2.3.4,0x8
w32tm /resync

The only machine you need to correct this on should be the PDC emulator. This is the only machine on which "net time /querysntp" should return something useful, because the clients should be using the domain hierarchy to sync with the DC authenticating them, in which case they'll ignore a manually configured time server (and DCs will sync with the PDCe).
Check the value "Type" in HKLM\System\CurrentControlSet\Services\W32Time\Parameters. This should be NT5DS on all members and DC except the PDCe, on which it should be NTP.
To configure the PDCe to use your router as time server, open a command prompt and enter
w32tm /config /manualpeerlist:1.2.3.4,0x8
(obviously replacing 1.2.3.4 with your router's IP).
The 0x9 in your current configuration would tell the time service to send requests in client mode, and use SpecialInterval
Check this article for the different values (it's a bitmask, you have to add the values of the features you need):
Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003: http://support.microsoft.com/kb/875424


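The question about what 0x1 and 0x9 mean, and the advice to check the "Type" value, can both be turned into a small script. This is an added example, not code from the thread; it reads the same Parameters key the answer names and decodes the peer flags with the documented W32Time bitmask values (0x1 SpecialInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client). Function names are my own.

```powershell
# Added example (not from the thread). Decodes the flags appended to a W32Time
# peer entry such as "time.windows.com,0x9" and checks the local Type value.
# Flag values are the documented W32Time NtpServer bitmask (KB 875424).

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

$PeerFlagNames = @{
    0x1 = 'SpecialInterval'    # poll at SpecialPollInterval instead of the default
    0x2 = 'UseAsFallbackOnly'  # only used when no other source answers
    0x4 = 'SymmetricActive'    # symmetric-active mode
    0x8 = 'Client'             # plain NTP client mode
}

function ConvertFrom-W32TimePeerEntry {
    # Parses one "host,0xN" entry; 0x9 = 0x8 (Client) + 0x1 (SpecialInterval).
    param([Parameter(Mandatory = $true)][string]$PeerEntry)

    $peerHost, $flagText = $PeerEntry.Trim() -split ',', 2
    $flags = if ($flagText) { [int]$flagText } else { 0 }   # [int]'0x9' parses the hex prefix

    $names = $PeerFlagNames.Keys | Sort-Object |
        Where-Object { ($flags -band $_) -ne 0 } |
        ForEach-Object { $PeerFlagNames[$_] }

    [pscustomobject]@{
        Peer    = $peerHost
        Flags   = '0x{0:X}' -f $flags
        Meaning = if ($names) { $names -join ' + ' } else { 'no flags' }
    }
}

function Test-W32TimeConfig {
    # Reads Type and NtpServer from the Parameters key and compares Type with
    # what it should be: NTP on the PDC emulator, NT5DS on every other machine.
    # In NT5DS mode the manual peer list is ignored, so a wrong Type explains
    # "the peer is set but the clock is still off".
    param([switch]$IsPdcEmulator)

    $params   = Get-ItemProperty -Path $W32TimeParams
    $expected = if ($IsPdcEmulator) { 'NTP' } else { 'NT5DS' }
    $fixFlag  = if ($IsPdcEmulator) { 'MANUAL' } else { 'DOMHIER' }

    $peers = @()
    if ($params.NtpServer) {
        # NtpServer holds space-separated entries, e.g. "time.windows.com,0x9"
        $peers = @($params.NtpServer -split '\s+' |
            Where-Object { $_ } |
            ForEach-Object { ConvertFrom-W32TimePeerEntry $_ })
    }

    if ($params.Type -ne $expected) {
        Write-Warning ("{0}: Type is '{1}', expected '{2}'. Fix: w32tm /config /syncfromflags:{3} /update" -f
            $env:COMPUTERNAME, $params.Type, $expected, $fixFlag)
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Type         = $params.Type
        ExpectedType = $expected
        TypeOk       = ($params.Type -eq $expected)
        Peers        = $peers
    }
}

# The two entries seen in the thread:
'time.windows.com,0x9', 'time.windows.com,0x1' |
    ForEach-Object { ConvertFrom-W32TimePeerEntry $_ } | Format-Table -AutoSize

# Local check; add -IsPdcEmulator on the machine that holds the PDC emulator role
Test-W32TimeConfig | Format-List
```

Running the first part prints "Client + SpecialInterval" for 0x9 and "SpecialInterval" for 0x1, which is the difference between the PDC and the two 2003 servers in the original post.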
ipsbend (Author) commented 2009-04-22:

Thank you oBdA. Quick question: our pdc's reg key shows NT5DS as the type. How do I know that our pdc is the emulator in our domain? When I log into the Server 2008 machine and look at roles, I do not see PDCe specifically. I see these roles: AD/DS, DHCP Server, DNS Server, File Services, Hyper-V, Network Policy and Access Services, & Web Server (IIS). Thx!


There is no "PDC" in an AD domain, there are only the 5 FSMO roles, one of which being PDC Emulator.
In the GUI, you can use ADUC to find the PDCe; start the ADUC MMC, and in the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master:
How to view and transfer FSMO roles in Windows Server 2003: http://support.microsoft.com/kb/324801

run on the other two, I get this error: 'netdom' is not recognized as an internal or external command, operable program or batch file.


ipsbend (Author) commented 2009-04-22:

Thanks! Before I run this, you had mentioned previously that to use the router as time service I would use this command: w32tm /config /manualpeerlist:1.2.3.4,0x8, where 1.2.3.4 is the IP for our router. Is it good practice to use our firewall router for our time server?

If your router has the correct time and/or is syncing itself with a hardware clock or an external ntp server, and if it offers NTP, then you can certainly use it.
Otherwise check this article and pick a time server near you:
A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet: http://support.microsoft.com/kb/262680
Or this:
NTP Pool Project > How do I use pool.ntp.org? http://www.pool.ntp.org/en/use.html

If you're syncing with an external time server, note that the sync uses UDP port 123, your firewall needs to allow outbound connections to the ntp server on this port.


ipsbend (Author) commented 2009-04-22:

We have a SonicWALL router, TZ190 Wireless Enhanced. Off-hand, do you know where I go to allow that outbound connection? I've gone to the system help manual but can't find instructions. Would it be under "Access Rules"? No worries if you're not familiar with this system; I can research it.

Oh, and I forgot a parameter for the /config commands, sorry; add an /update at the end to inform the time service that the configuration has changed.
w32tm /config /manualpeerlist:1.2.3.4,0x8 /update
For the commands you may already have run, a simple
w32tm /update
should do it.


ipsbend (Author) commented 2009-04-22:

Thanks! Caught me just in time before running those commands. After running these:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

The type still shows as NT5DS. Does it take a bit to refresh? I refreshed the view and also closed the registry and reopened it.

We just got this new server and I think the old dc is still online. I did check the type for that one as well and it was NT5DS. I've been on all the servers all morning running these time commands so maybe I'm getting that wrong. I'll log in to it again and re-check.


ipsbend (Author) commented 2009-04-22:

So, I was wrong. The type on the old server is NTP. I don't want this to be the time server. I haven't demoted it because I don't know how yet.


ipsbend (Author) commented 2009-04-22:

But when I ran the netdom query fsmo command on the old dc (server1), it showed the PDC as being the new server (server4), which is as it should be.

If you're sure that the new machine is the PDC emulator, run
w32tm /config /syncfromflags:MANUAL /update
on the machine, that will change it to manual.
Then run a
w32tm /resync
to check if it's syncing correctly.
Accordingly, you could force the W2k3 machine to use the domain hierarchy:
w32tm /config /syncfromflags:DOMHIER /update

Server1 does not hold any roles and yes, demoting is what I want to do. I don't need it as a dc but need it available for me to access. I've been waiting to remove it as a dc because I didn't know how to do it.

This is the error I received when running the resync command on server4:

Sending resync command to local computer
The computer did not resync because no time data was available.

The command from above should have done this:
w32tm /config /syncfromflags:MANUAL /update
You can try to change it manually to NTP, then restart the time service:
net stop w32time & net start w32time
Additionally, run a GPO report in the GPMC and check if there is a policy configuring all machines to use NT5DS (it's in Administrative Templates\System\Windows Time Service\Time Providers).


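The fix that emerges from the last few answers (manual peer on the PDC emulator, /syncfromflags:MANUAL with /update, then /resync; DOMHIER everywhere else; and the firewall note about UDP/123) is collected below as an added example. It is not code from the thread; it assumes w32tm.exe is on the PATH and the shell is elevated, 1.2.3.4 is a placeholder for the router or NTP server address, and the function names are mine. The reachability check uses w32tm /stripchart, which queries the peer on UDP/123 and so also shows whether the firewall lets the request out.

```powershell
# Added example (not from the thread). Applies the PDC emulator fix with
# /update so the running service reloads it, offers the DOMHIER setting for
# every other machine, and checks that the peer answers on UDP/123.
# 1.2.3.4 below is a placeholder, not a real server.

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Test-NtpPeer {
    # Takes a few samples from the peer with w32tm /stripchart. A non-empty
    # list of offsets means the peer answered on UDP/123, the port the firewall
    # must allow outbound; "no time data was available" on resync usually
    # means this check fails too.
    param([Parameter(Mandatory = $true)][string]$Peer, [int]$Samples = 3)

    $lines = & w32tm.exe /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1
    # Data lines look like "10:15:01, +00.0203416s"; failures print "error: 0x..."
    $offsets = @(foreach ($line in $lines) {
        if ("$line" -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    })

    [pscustomobject]@{
        Peer      = $Peer
        Reachable = ($offsets.Count -gt 0)
        Offsets   = $offsets
        AvgOffset = if ($offsets.Count -gt 0) { ($offsets | Measure-Object -Average).Average } else { $null }
    }
}

function Set-PdcEmulatorTimeSource {
    # Run only on the machine that holds the PDC emulator role. Afterwards Type
    # must read NTP and the manual peer is used.
    param([Parameter(Mandatory = $true)][string]$Peer)

    $peerEntry = "$Peer,0x8"   # 0x8 = Client mode (KB 875424 bitmask)

    # /update makes the running service reload the new settings; without it the
    # registry changes but the service keeps its old configuration, which is
    # what happened in the thread.
    & w32tm.exe /config "/manualpeerlist:$peerEntry" /syncfromflags:MANUAL /update
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }

    $type = (Get-ItemProperty -Path $W32TimeParams).Type
    if ($type -ne 'NTP') {
        # Fallback the answer suggests: set Type by hand and restart the service
        Write-Warning "Type is '$type' after /config; setting NTP and restarting W32Time"
        Set-ItemProperty -Path $W32TimeParams -Name Type -Value 'NTP'
        Restart-Service -Name W32Time
    }

    & w32tm.exe /resync
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "resync failed; run Test-NtpPeer -Peer $Peer to see whether the peer answers"
    }
}

function Set-DomainHierarchyTimeSource {
    # For member servers, clients and DCs other than the PDC emulator: follow
    # the domain hierarchy (Type NT5DS). Any manual peer list is ignored here.
    & w32tm.exe /config /syncfromflags:DOMHIER /update
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed (exit code $LASTEXITCODE)" }
    & w32tm.exe /resync
}

# Usage on the PDC emulator (placeholder IP):
#   Test-NtpPeer -Peer 1.2.3.4 | Format-List
#   Set-PdcEmulatorTimeSource -Peer 1.2.3.4
# On every other domain machine:
#   Set-DomainHierarchyTimeSource
```

Order matters: check the peer first, then configure the PDC emulator, and only then expect NT5DS clients to catch up on their next periodic poll, as the answer below notes.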
ipsbend (Author) commented 2009-04-23:

It appears I was successful at manually changing type to NTP and I restarted the time service. The GPO policies for those keys are not configured. So, I should be set now to run these, correct?:

I was able to run the resync command with no errors. The server is now on the correct time. Anyway, I don't know if it was changing the time server or the additional command that fixed it; doesn't matter, it's working now :-).

Another question: I had to resync my client manually to get it to match the server time. Will the other clients resync at some point automatically, or will I have to run a command on them at the station?

"net time /setsntp" should do the same thing as "w32tm /config /manualpeerlist" (that is, write the "ntpserver" value in the Parameters key), but seeing as the type couldn't be changed with w32tm either, there might be a slight problem with w32tm and/or its communication with the time service, for whatever reason.
Anyway, your clients should be syncing automatically (if they're set to NT5DS), just give them a bit of time; the time service only checks periodically.


ipsbend (Author) commented 2009-04-23:

I just noticed that I left out the /update config parameter when I ran the w32tm /config commands. Maybe that's what I was doing wrong?

Yes, that would be a reason, too; without the /update, the time service isn't notified that w32tm changed the configuration and that it should be reloaded. The time service restart, without the "net time /setsntp", would then probably have done it as well.


ipsbend (Author) commented 2009-04-23:

You were terrific and your patience was greatly appreciated. Thanks so much for your help!